On 07/12/2008 12:14:21  AM +0200, Christian Seiler <[EMAIL PROTECTED]> wrote:
> Hi,
>> I compile my server binaries and never rely on pre-compiled versions; I 
>> _never_ imagined using Apache without suexec which IMHO is a complete 
>> nonsense and should be a default behavior. Finally I never imagined 
>> running any virtualhost with the Apache user. That way, running Apache 
>> compiled with SECURITY_HOLE_PASS_AUTHORIZATION is completely safe.
> What do you mean by not using the Apache user? I know there are several
> MPMs back there that do what mpm_perchild should have done, but they
> have (as far as I can tell) some major drawbacks themselves (for
> example, at least one has to run the mod_ssl code as root which is
> really bad should there be a buffer overflow).

I mean any CGI/FastCGI/executables of some kind must not run as the same 
user apache children run. This easy to do: just set the suexecusergroup 
directive inside the default virtualhost (or the first) with a different 
user as the User directive. I am not talking about static content which 
is harmless to run as the same user.

> And if you don't run your virtual hosts as a spearate user, even with
> suexec there is a very small vulnerability window to grab the
> authentication data. That's why I understand the Apache people for not
> passing the Authorization header by default.

There is not such a small window because suexec is setuid, thus AFAIK 
the environment is passed when the process memory footprint is already 
owned by root. Besides, that environment is only readable by the apache 
user, who in a correct suexec setup doesn't run any CGI directly (it 
only runs apache children). Obviously, that Apache user must be a 
dedicated user, and not a generic anonymous user which multiple 
applications are running under. (i.e. If your "nobody" user is only used 
by Apache processes, it's OK)

Apache people set that compile flag off by default because suexec is by 
far not a "default" feature. There is so many Apache setups out there 
running everything with a single user, even some shared hosting providers.

>> It is then better to keep the default apache 
>> configuration safe by _not_ opening such security issues and applying 
>> the patch you proposed directly at the module level.
> Or to always pass the Authorization header at module level (which I also
> proposed).

CGI/FastCGI processes are not designed to parse HTTP headers, we should 
not pass them more headers. But if you mean always converting the 
Authorization header to its HTTP_ corresponding environment variable, I 
think it is safe to do so.


Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
Mod-fcgid-users mailing list

Reply via email to